Fix code scanning alert #514: Client-side cross-site scripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
bitpredator · Sep 23, 2024 · 95ae352 · 95ae352
1 parent bc503e5
commit 95ae352
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/package.json b/package.json
@@ -1,5 +1,8 @@
 {
   "devDependencies": {
     "eslint": "^9.10.0"
+  },
+  "dependencies": {
+    "dompurify": "^3.1.6"
   }
 }
diff --git a/server-data/resources/[esx_addons]/esx_garage/nui/js/app.js b/server-data/resources/[esx_addons]/esx_garage/nui/js/app.js
@@ -1,3 +1,5 @@
+import DOMPurify from 'dompurify';
+
 $(window).ready(function() {
 	window.addEventListener('message', function(event) {
 		const data = event.data;
@@ -19,12 +21,12 @@ $(window).ready(function() {
 
 				if (data.poundCost != undefined) {
 					$('.content .vehicle-list').html(
-						getVehicles(data.locales, data.vehiclesList, data.poundCost),
+						DOMPurify.sanitize(getVehicles(data.locales, data.vehiclesList, data.poundCost)),
 					);
 				}
 				else {
 					$('.content .vehicle-list').html(
-						getVehicles(data.locales, data.vehiclesList),
+						DOMPurify.sanitize(getVehicles(data.locales, data.vehiclesList)),
 					);
 				}
 
@@ -42,7 +44,7 @@ $(window).ready(function() {
 				if (data.poundCost) $('#container').data('poundcost', data.poundCost);
 
 				$('.impounded_content .vehicle-list').html(
-					getImpoundedVehicles(data.locales, data.vehiclesImpoundedList),
+					DOMPurify.sanitize(getImpoundedVehicles(data.locales, data.vehiclesImpoundedList)),
 				);
 				$('.impounded_content h2').hide();
 			}